Long-Secret Stingray manuals detail how police can spy on phones

Harris Corp.’s Stingray surveillance device has been one of the most closely guarded secrets in law enforcement for more than 15 years.

The company and its police clients across the United States have fought to keep information about the mobile phone-monitoring boxes from the public against which they are used.

The Intercept has obtained several Harris instruction manuals spanning roughly 200 pages and meticulously detailing how to create a cellular surveillance dragnet. Harris has fought to keep its surveillance equipment, which carries price tags in the low six figures, hidden from both privacy activists and the general public, arguing that information about the gear could help criminals.

Accordingly, an older Stingray manual released under the Freedom of Information Act last year was almost completely redacted. So too have law enforcement agencies at every level, across the country, evaded almost all attempts to learn how and why these extremely powerful tools are being used — though court battles have made it clear Stingrays are often deployed without any warrant. The San Bernardino Sheriff’s Department alone has snooped via Stingray, sans warrant, over 300 times.

Richard Tynan, a technologist with Privacy International, told The Intercept that the “manuals released today offer the most up-to-date view on the operation of” Stingrays and similar cellular surveillance devices, with powerful capabilities that threaten civil liberties, communications infrastructure, and potentially national security. He noted that the documents show the “Stingray II” device can impersonate four cellular communications towers at once, monitoring up to four cellular provider networks simultaneously, and with an add-on can operate on so-called 2G, 3G, and 4G networks simultaneously.

“There really isn’t any place for innocent people to hide from a device such as this,” Tynan wrote in an email. “As more of our infrastructure, homes, environment, and transportation are connected wirelessly to the internet, such technologies really do pose a massive risk to public safety and security.” And the Harris software isn’t just extremely powerful, Tynan added, but relatively simple, providing any law enforcement agent with a modicum of computer literacy the ability to spy on large groups of people:

The ease with which the StingRay II can be used is quite striking and there do not seem to be any technical safeguards against misuse. … It also allows the operator to configure virtually every aspect of the operation of the fake cell tower. … The Gemini platform also allows for the logging and analysis of data to and from the network and “Once a message to/from any active subscriber in the Subscriber list is detected, Gemini will notify the user.” How many innocent communications of the public are analyzed during this process?

Tynan also raised questions about the extent to which Stingrays may be disrupting the communications infrastructure, including existing cellular towers.

Harris declined to comment. In a 2014 letter to the Federal Communications Commission, the company argued that if the owner’s manuals were released under the Freedom of Information Act, this would “harm Harris’s competitive interests” and “criminals and terrorist[s] would have access to information that would allow them to build countermeasures.” But Stingrays are known for spying on low-level marijuana dealers and other domestic targets, not al Qaeda; as the Electronic Frontier Foundation’s Jennifer Lynch said in December, “I am not aware of any case in which a police agency has used a cell-site simulator to find a terrorist.” Meanwhile, it is already publicly known that the NSA uses Stingray-like devices to locate suspected terrorists as part of a system known as Gilgamesh. Nathan Wessler, an attorney with the American Civil Liberties Union, told The Intercept that “when the most likely ‘countermeasure’ is someone turning their phone off or leaving it at home, it is hard to understand how public release of a manual like this could cause harm.” And furthermore, said Wessler, “It is in the public interest to understand the general capabilities of this technology, so that lawmakers and judges can exercise appropriate oversight and protect people’s privacy rights.”

The documents described and linked below, instruction manuals for the software used by Stingray operators, were provided to The Intercept as part of a larger cache believed to have originated with the Florida Department of Law Enforcement. Two of them contain a “distribution warning” saying they contain “Proprietary Information and the release of this document and the information contained herein is prohibited to the fullest extent allowable by law.”

Although “Stingray” has become a catch-all name for devices of its kind, often referred to as “IMSI catchers,” the manuals include instructions for a range of other Harris surveillance boxes, including the Hailstorm, ArrowHead, AmberJack, and KingFish. They make clear the capability of those devices and the Stingray II to spy on cellphones by, at minimum, tracking their connection to the simulated tower, information about their location, and certain “over the air” electronic messages sent to and from them. Wessler added that parts of the manuals make specific reference to permanently storing this data, something that American law enforcement has denied doing in the past.

One piece of Windows software used to control Harris’s spy boxes, software that appears to be sold under the name “Gemini,” allows police to track phones across 2G, 3G, and LTE networks. Another Harris app, “iDen Controller,” provides a litany of fine-grained options for tracking phones. A law enforcement agent using these pieces of software along with Harris hardware could not only track a large number of phones as they moved throughout a city but could also apply nicknames to certain phones to keep track of them in the future. The manual describing how to operate iDEN, the lengthiest document of the four at 156 pages, uses an example of a target (called a “subscriber”) tagged alternately as Green Boy and Green Ben:

The documents also make clear just how easy it is to execute a bulk surveillance regime from the trunk of a car: A Gemini “Quick Start Guide,” which runs to 54 pages, contains an entire chapter on logging, which “enables the user to listen and log over the air messages that are being transmitted between the Base Transceiver Station (BTS) and the Mobile Subscriber (MS).” It’s not clear exactly what sort of metadata or content would be captured in such logging. The “user” here, of course, is a police officer.

In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example, knocking a connection from LTE to 2G:

A video of the Gemini software installed on a personal computer provides not only an extensive demonstration of the app but also underlines how accessible the mass surveillance code can be: Installing a complete warrantless surveillance suite is no more complicated than installing Skype. Indeed, software such as Photoshop or Microsoft Office, which require a registration key or some other proof of ownership, are more strictly controlled by their makers than software designed for cellular interception.

“While this device is being discussed in the context of U.S. law enforcement,” said Tynan, “this could be used by foreign agents against the U.S. public and administration. It is no longer acceptable for our phones and mobile networks to be exploited in such an invasive and indiscriminate way.”